Inhibiting a penetration attack

ABSTRACT

A technique includes providing a security monitor to at least detect a penetration attack on a circuit assembly that contains the security monitor. The technique includes inhibiting success of the penetration attack, including flexibly mounting the security monitor to the circuit assembly to allow the security monitor to move in response to the security monitor being contacted during the penetration attack.

BACKGROUND

A given computer system (a data center, for example) that processes and/or stores sensitive data typically employs measures to protect the data from unauthorized access. For example, the computer system may process and/or store such sensitive information, as credit cardholder data, patient records, personnel information, intellectual property, and so forth.

The protective measures may guard against unauthorized access while the sensitive data is in motion (while the data is being communicated across communication channels, for example). For example, the computer system may encrypt data that is communicated across communication channels. The protective measures may further guard against access to cryptographic keys that are stored by the computer system and used by the system to encrypt/decrypt the sensitive data.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1A is a perspective view of a secure key manager according to an example implementation.

FIG. 1B is a top view of a circuit assembly of the secure key manager according to an example implementation.

FIG. 2 is a cross-sectional view of the circuit assembly taken along line 2-2 of FIG. 1B according to an example implementation.

FIG. 3 is a cross-sectional view of the circuit assembly illustrating, in conjunction with FIG. 2, movement of a daughter card of the assembly during a punch through attack.

FIG. 4 is a flow diagram depicting a technique to inhibit a penetration attack according to an example implementation.

FIG. 5 is a schematic diagram illustrating a data center according to an example implementation.

FIG. 6 is a schematic diagram illustrating an architecture of the secure key manager according to an example implementation.

DETAILED DESCRIPTION

An electronic system that processes and/or stores sensitive data (data representing patient records, personnel records, credit cardholder information, banking information, intellectual property, and so forth) may encrypt and decrypt the sensitive data while in transit. In this manner, the electronic system may communicate encrypted, sensitive data for internal communications within the electronic device (communications between the system's processing cores and memories, for example), as well as communicate encrypted, sensitive data in external communications between the system and other electronic systems.

For the purpose of encrypting and decrypting the sensitive data, the electronic system may use one or multiple cryptographic keys, called “security keys” herein. In this manner, the electronic system may store the security keys in one or more protected memories of the system. Because access to the security keys allows access to the underlying sensitive data, the electronic system may have a physical security barrier to prevent, or at least inhibit, unauthorized access to the stored security key(s). For example, sensitive components of the electronic system, which store security keys, may be enclosed by a locked, metal container, which forms at least part of a physical security barrier to guard against unauthorized access to the stored keys. In this manner, the metal enclosure may have no open ports through which a tool (a probe, a punch through device, and so forth) may be inserted for such purposes as sensing electrical signals (representing the keys, for example), physically extracting memory storing security keys, and so forth.

The electronic system may still be vulnerable to a “penetration attack,” even when enclosed in a metal container. A penetration attack is a physical attack on an electronic system in which a tool is used to penetrate the system's physical security barrier (such as a metal container) for purposes of gaining access to information (such as one or multiple security keys) that is stored in the system. For example, the tool may contain a drill or punch to form a hole in the metal container (and/or other enclosure or security barrier) of the electronic system, and a probe may be inserted into the hole to sense one or multiple electrical signals of the electronic system for purposes of retrieving the security key(s). Another type of penetration attack, called a “punch through attack” herein, employs a tool to penetrate into integrated circuits of the electronic system for purposes of extracting memory-containing circuitry and reading any data stored therein.

For purposes of thwarting a penetration attack, the electronic system may contain one or multiple penetration detection boundaries. The penetration boundary(ies) allow the electronic system to detect an ongoing penetration attack, so that the electronic system may timely take corrective action. In this regard, when a penetration attack is detected, the electronic system may take such actions as alerting a system administrator; alerting security personnel; erasing security keys before the keys are extracted; power off or shutting down operations of the electronic system, and so forth.

A given penetration detection boundary may be formed from one or multiple traces in one or multiple metal layers of a circuit substrate (a printed circuit board substrate (PCB), for example). The trace(s) are arranged in pattern(s) so that when a penetration attack occurs, which penetrates the circuit substrate, at least one trace is broken. Due to signal interruption(s) caused by the broken trace(s), the electronic system is alerted to the attack. More specifically, the electronic system may contain a circuit called a “security monitor” herein, which may be coupled to penetration detection traces to detect a signal interruption that indicates a penetration attack.

The security monitor may be unable to respond quickly enough during a penetration attack to prevent sensitive information from being extracted from the electronic system. For example, a punch through attack may punch out, or remove, memory-containing circuitry from the electronic system before the system has time to undertake operations to erase sensitive data stored in the circuitry. Moreover, a punch through attack may disable the security monitor before the security monitor can respond.

Systems and techniques are disclosed herein, which provide additional time for a security monitor to respond to a penetration attack, such as a punch through attack. In particular, in accordance with example implementations, the security monitor is mounted on a circuit substrate assembly, referred to as a “daughter card” herein; and the daughter card, is flexibly mounted to another circuit substrate called a “base card” herein. The flexible mounting of the daughter card to the base card creates a spring-like cushion, which allows the daughter card to move if the card is contacted with a tool during a punch through attack. In this manner, because the flexible mounting allows the daughter card to move with the punch through tool, the punch through tool is at least momentarily unable to penetrate circuitry of the daughter card when the tool first contacts the card. Although the punch through tool may be able to penetrate the daughter card after the tool eventually presses the daughter card into the base card, a time delay is created between the time of initial contact and the time that penetration occurs. Therefore, additional time is created for the security monitor to successively take and complete corrective action to prevent the punch through attack from being successful.

Referring to FIG. 1A, as a more specific example, an electronic system (a processor-based data center, for example) may contain one or multiple secure key managers, such as example secure key manager 100, for purposes of managing, protecting, serving and preserving security keys for the system. The secure key manager 100 may, in accordance with example implementations, be a blade that is constructed to be received in a backplane bus slot of a computer system rack.

The secure key manager 100 may have one or multiple physical security barriers that protect the sensitive components of the manager 100 against a penetration attack. For example, as depicted in FIG. 1A, the secure key manager 100 may have an outer metal enclosure 110 that surrounds, or encloses, a circuit board assembly 120. The circuit board assembly 120 contains various integrated circuits (ICs) that, in general, perform the functions of the secure key manager 100 and store sensitive information (security keys, data encrypted by security keys, and so forth) for the manager 100.

In accordance with example implementations, the metal enclosure 110 may, in general, have no ports, or openings, through which a penetration attack may occur (through which a punch through tool or probe may be inserted, for example) for purposes of gaining access to the security key(s) and/or other sensitive information stored inside the secure key manager 100. The secure key manager 100 may communicate with external circuitry using (as examples) connector sockets, optical signaling, inductive coupling connections, and so forth. The metal enclosure 110 may include various security mechanisms, such as (as an example) key locks 112, which secure the enclosure 110 from being opened (by removal of a front panel 111 of the enclosure 110, for example) except when two keys (keys held by two authorized employees, for example) are concurrently inserted and turned.

Referring to FIG. 1B, in accordance with an example implementation, the circuit board assembly 120 includes a base circuit board substrate assembly 121, called a “base card 121” herein. As an example the base card 121 may include a circuit substrate 123, such as a printed circuit board (PCB), and various ICs may be mounted on the upper surface of the substrate (for the orientation of the circuit board assembly 120 depicted in FIG. 1B). One or multiple ICs of the base card 121 may contain a memory that stores sensitive information for the secure key manager 100.

The circuit substrate 123, in accordance with example implementations, is a multiple layer substrate, which contains metal layers and intervening insulating layers. One or multiple metal layers of the circuit substrate 123 may contain traces for purpose of routing signals, power and ground for the ICs of the base card 121.

Moreover, one or multiple metal layers of the circuit substrate 123 may contain one or multiple traces that are patterned to form a penetration detection boundary of the secure key manager 100. In this manner, the penetration detection boundary is constructed to provide an indication to the secure key manager 100 when a penetration attack at least partially penetrates the circuit substrate 123.

More specifically, in accordance with example implementations, the secure key manager 100 contains a circuit called a “security monitor 134,” which is electrically coupled to the traces of the penetration boundary of the base card 121 for purposes of being alerted when a penetration attack or attempted penetration attack through/into the circuit substrate 123. In this manner, the security monitor 134 monitors the traces of the base card's penetration detection boundary for purposes of detecting when a signal interruption (indicative of a penetration attack through the substrate 123) occurs. In particular, the penetration detection boundary of the base card 121 is positioned to alert the security monitor 134 when a penetration attack (more specifically, a “punch through attack”) originating from a region below the base card 121 (for the orientation depicted in FIG. 1B) occurs. The security monitor 134 may also be coupled to a penetration detection boundary that provides an alert for a penetration attack that originates from a region above the base card 121 (for the orientation depicted in FIG. 1B). In this manner, the circuit board assembly 121 may be covered with another circuit board substrate (a flexible circuit substrate, for example), which is not shown in FIG. 1B. This other circuit board substrate contains a penetration detection boundary and is electrically coupled (via at least one connector, not shown) to the security monitor 134, in accordance with example implementations.

In accordance with example implementations, the security monitor 134 is disposed on a circuit board substrate assembly 126, called a “daughter card 126” herein. As depicted in FIG. 1B, the daughter card 126 may be smaller than the base card 121; the security monitor 134 may be mounted to a circuit substrate 127 (a PCB substrate, for example) of the daughter card 126; and the security monitor 134 may, in general, occupy most of the upper surface area of this circuit board substrate 127. The circuit substrate 127 may, in general, be a multiple layer substrate, which contains metal layers and intervening insulating layers.

One or multiple metal layers of the circuit substrate 127 may contain traces for purpose of routing signals, power and ground for the ICs of the daughter card 126, such as the security monitor 134 as well as other circuitry described herein. Moreover, one or multiple metal layers of the circuit substrate 127 may contain traces that form a penetration detection boundary, which may be electrically coupled to the security monitor 134.

In accordance with example implementations, the daughter card 126 is not rigidly mounted to the base card 121. Rather, in accordance with example implementations, the daughter card 126 contains one or multiple flexible connections that mechanically and electrically couple the daughter card 126 to the base card 121. For the specific implementation that is depicted in FIG. 1B, two flexible connections mechanically and electrically couple the daughter card 126 to the base card 121. As an example, a given flexible connection may be formed from a flexible printed circuit substrate, or flexible circuit 130 (also called a “flex circuit”), which has ends 125 and 129 that terminate on the base card 121 and daughter card 126, respectively.

As a more specific example, in accordance with some implementations, the end 125 of the flexible circuit 130 may terminate in a connector 124 that is disposed on the base card 121. As examples, the connector 124 may be a zero insertion force (ZIF), a low insertion force (LIF) connector, a surface mount connector or a through hole connector. Other connectors may be used, in accordance with further example implementations. In general, the end 125 of the flexible circuit 130 is secured, or mechanically held, by the connector 124, and electrical traces of the flexible circuit 130, which extend into the end 125 form electrical connections with electrical contacts of the connector 124. The opposite end 129 of the flexible circuit 130 may likewise terminate in a connector (not shown) that is mounted to the daughter card 126, such as a ZIF, LIF, surface mount or through hole connector, as examples.

FIG. 2 depicts a cross-sectional view of the circuit assembly 120 of FIG. 1B, with the addition of potting material 208. The potting material 208 may be, as an example, an electrically nonconductive, insulating, gel, epoxy or other material, which coats the upper surface of the circuit assembly 120. The secure key manager 100 may not include potting material, in accordance with further example implementations. As depicted in FIG. 2, the flexible circuits 130 have sufficient respective lengths to suspend the daughter card 126 over the base card 121. In this manner, as depicted in FIG. 2, a clearance, or gap G, exists between the bottommost surface of the daughter card 126 and the uppermost surface of the base card 121.

The gap G, in combination with the flexible nature of the circuits 130, creates a spring-like cushion that allows the daughter card 126 to move if the daughter card 126 is contacted by a tool from above during a punch through attack. This movement, in turn, momentarily prevents the daughter card 126 from exerting a sufficient reaction force on the tool, which would otherwise allow the tool to punch into the card 126 (and possibly extract memory circuitry of the card 126, for example).

More specifically, referring to FIG. 3 in conjunction with FIG. 2, when contacted by a tool 310 from above during a punch through attack, the daughter card 126 moves with the tool 310 until the tool 310 presses the daughter card 126 firmly against the base card 121. When the tool 310 is able to press the daughter card 126 against the base card 121, the tool 310 may be able to punch into the card 126 and possibly extract memory circuitry of the card 126 (by extracting the circuitry through a hollow point of the tool 310, for example). However, due to the flexible mounting of the daughter card 126 to the base card 121, a delay is created between the time when the tool 310 first contacts the daughter card 126 and the time at which punch out of a portion of the card 126 may occur. Therefore, even if the punch through attack succeeds in extracting circuitry from the daughter card 126, the security monitor 134 has additional time created by flexible mounting of the daughter card 126 to take corrective action. In this manner, the additional time may allow the security monitor 134 to erase sensitive information (keys, encrypted data and so forth) before memory circuitry of the security monitor 134 (or of another component) is extracted and/or before the security monitor 134 is disabled due to the punch through attack.

In accordance with example implementations, the security monitor 134 contains one or multiple memories that store sensitive data for the secure key manager 100. Therefore, in response to detecting a penetration attack, the security monitor 134 may erase its own memory contents. Moreover, in accordance with example implementations, the security monitor 134 may erase the memory contents (via communications or signaling) of other devices of the secure key manager 100, when a penetration attack is detected.

Referring to FIG. 4, to summarize, in accordance with example implementations, a technique 400 includes providing (block 404) a security monitor to at least detect a penetration attack on a circuit assembly that contains the security monitor. The technique 400 includes inhibiting (block 408) a penetration attack, including flexibly mounting the security monitor to the circuit assembly to allow the security monitor to move in response to the security monitor being contacted during the penetration attack.

In accordance with example implementations, the daughter card 126 may have features that create additional time for the security monitor 124 to respond to a punch through attack (in addition to the time created by the flexible mounting of the daughter card 126 to the base card 121). In this manner, referring to FIG. 2, in accordance with example implementations, the security monitor 134 is mounted on top surface of the circuit substrate 127 of the daughter card 126, and energy storage circuits 140, 150 and 152 are mounted on the bottom surface of the circuit substrate 127. The energy storage circuits 140, 150 and 152 provide temporary power for memory-containing circuitry of the security monitor 134, which might be removed in a punch through attack.

More specifically, when the circuit assembly 120 is intact, the circuit components (the security monitor 134, energy storage circuits 140, 150, 152, and so forth) of the daughter card 126 receive electrical power through electrical conductors of one or both flexible circuits 130. In this manner, the electrical conductors may be voltage supply and ground rails that communicate electrical power from power supply/distribution circuitry that is disposed on the base card 121 to the circuit components of the daughter card 126. The energy storage circuits 140, 150 and 152 receive the power from the base card 121 and store energy in response thereto. As an example, the energy storage circuits 140, 150 and 152 may include spatially distributed arrays of capacitors that are charged from the power that is communicated from the base card 121; and the security monitor 134 may be an integrated circuit package, such as a microprocessor core-based package. In accordance with further example implementations, the energy storage circuit 140, 150 or 152 may include one or multiple devices that store energy other than capacitors, such as (as examples) electrochemical cells and flat batteries.

In accordance with example implementations, the energy storage circuits 140, 150 and 152 are disposed directly beneath associated circuits of the security monitor 134, which are independently autonomous and perform important functions for the security monitor 134, such as processor core circuits containing memories and other memory-containing autonomous circuits, for example. Moreover, vias of the circuit substrate 127 of the daughter card 126 electrically couple the energy storage circuits 140, 150 and 152 to the power supply terminals of their associated circuits of the security monitor 134. Therefore, in the event that a punch through attack removes one of these circuits of the security monitor 134, there is a relatively high likelihood that its associated temporary memory storage, located directly beneath, is also removed. As a result, even though a given circuit may be removed from the daughter card 126 in a punch through attack, the circuit receives power for an additional time after its removal, thereby allowing the circuit time to respond to the attack (e.g., additional time is created to allows the extracted circuit to erase its associated memory contents, for example).

It is noted that the daughter card 126 may have circuit components, other than/in addition to the security monitor 134 and energy storage circuits 140, 150 and 152, in accordance with further example implementations. Moreover, in accordance with further example implementations, the daughter card 126 may have more than three or less than three energy storage circuits.

Referring FIG. 5, in accordance with example implementations, the secure key manager 100 may be part of a data center 500, in which the secure key manager 100 manages, stores and serves keys for one or multiple clients 504 of the data center 500. As an example, the secure key manager 100 and clients 504 may be blades that are inserted into one or more racks of the data center 500.

In accordance with example implementations, the secure key manager 100 may have an architecture that is schematically represented in FIG. 6. Referring to FIG. 6, in general, the secure key manager 100 may include hardware 602 and machine executable instructions, or “software,” 650. In general, the hardware 602 may include one or multiple central processing unit (CPU) cores 606. In accordance with example implementations, the security monitor 134 (see FIG. 2) may include one or multiple CPU cores 606; and in accordance with example implementations, one or multiple CPU cores 606 of the security monitor 134 may have an associated energy storage circuit disposed beneath the core 606, as described above. In accordance with example implementations, a given CPU core 906 may include onboard memory, such as level one (L1) cache 608 and a level two (L2) cache 610; and sensitive data (keys and so forth) may be stored in one or both caches 608 and 610.

The hardware 602 may also include memory that is accessed by the CPU core(s) 606, such as a level three (L3) cache 612 and a system memory 616. In accordance with an example implementation, sensitive data may be stored in the L3 cache 612 and/or system memory 616; and a given energy storage circuit may be disposed between circuitry containing the memory 616, L3 cache 616 and at least one of the processor cores 606.

The hardware 602 may include other and/or different components than the components that are depicted in FIG. 6 in further example implementations, such as a memory controller 614, a network interface 618, and so forth.

The software 650 may include a set of machine executable instructions that, when executed by one or multiple CPU core(s) 606, cause the CPU core(s) 606 to form a secure key manager engine 652 to manage, serve and protect keys as well as perform various cryptographic ciphers. The software 650 may include a set of machine executable instructions that, when executed by one or multiple CPU core(s) 606, cause the CPU core(s) 606 to form a security monitor engine 653 to perform one or multiple functions of the security monitor 134 (see FIG. 2), such as providing signals to penetration detection traces, receiving signals from the penetration detection traces to detect a penetration attack, taking corrective action in response to detecting a penetration attack, and so forth. The software 650 may include different and/or other machine executable instructions that when executed may form various other software components, such as an operating system 654, device drivers, applications and so forth.

Other implementations are contemplated, which are within the scope of the appended claims. For example, in accordance with further example implementations, a security monitor may be flexibly mounted to a circuit assembly in an electronic system other than a secure key manager and/or be part of a system other than a data center system.

It is noted that references herein to direction and orientation, such as “upper,” “lower,” top,” “bottom,” and so forth are used herein to describe the figures; and the substrates, circuit assemblies, cards, and so forth, may be used in a variety of orientations, depending on the particular implementation. For example, the circuit assembly 120, in accordance with example implementations, may be used in an orientation that is flipped over or turned on its inside, relative to the orientation that is depicted in FIGS. 1B, 2 and 3.

While the present techniques have been described with respect to a number of embodiments, it will be appreciated that numerous modifications and variations may be applicable therefrom. It is intended that the appended claims cover all such modifications and variations as fall within the scope of the present techniques. 

What is claimed is:
 1. A method comprising: providing a security monitor to at least detect a penetration attack on a circuit assembly containing the security monitor; and inhibiting success of the penetration attack, comprising flexibly mounting the security monitor to the circuit assembly to allow the security monitor to move in response to the security monitor being contacted during the penetration attack.
 2. The method of claim 1, further comprising mounting the security monitor on a first substrate, wherein mounting the security monitor to the circuit assembly comprises mounting the first substrate to a second substrate of the circuit assembly to suspend one of the first and second substrates relative to the other substrate.
 3. The method of claim 1, further comprising: communicating power to circuitry of the security monitor through at least one conductor; and providing an energy storage circuit to provide temporary power to the circuitry monitor in the event the penetration attack isolates the circuitry from receiving the communicated power.
 4. The method of claim 1, wherein inhibiting success of the penetration attack further comprises: in response to the security monitor detecting the penetration attack, using the security monitor to take corrective action to the attack.
 5. The method of claim 4, wherein using the security monitor to take corrective action comprises: erasing at least one security key stored on the circuit assembly.
 6. An apparatus comprising: an enclosure; at least one penetration detection layer to detect a penetration attack directed to a secure region inside the enclosure; and an assembly disposed in the secure region, the assembly comprising: a first circuit board; second circuit board having associated circuitry comprising a security monitor, the security monitor being coupled to the at least one penetration detection layer to detect the penetration attack; and a spring mount attached between the first and second circuit boards to provide a delay between a time that the penetration attack contacts the second circuit board and a time that the penetration attack removes at least part of the circuitry associated with the second circuit board to allow the security monitor to respond to the penetration attack to inhibit success of the attack.
 7. The apparatus of claim 6, wherein the spring mount comprises a flexible connector having a first end connected to the first circuit board and a second end connected to the second circuit board.
 8. The apparatus of claim 7, wherein: the first circuit board comprises a power distribution circuit to provide a power signal; and the flexible connector communicates the power signal to the circuitry of the second circuit board.
 9. The apparatus of claim 8, further comprising an energy source mounted to the second circuit board, wherein the energy source charges using the power signal to provide a temporary source of power for the circuitry of the second circuit board.
 10. The apparatus of claim 7, wherein: the first circuit board comprises a penetration detection layer to detect a penetration attack occurring through the first circuit board; and the flexible connector communicates at least one signal from the penetration detection layer of the first circuit board to the security monitor.
 11. The apparatus of claim 7, wherein the second circuit comprises at least one metal layer comprising a penetration detection trace.
 12. An apparatus comprising: a first substrate; a penetration attack monitoring circuit mounted to the first substrate, the penetration attack monitoring circuit comprising a memory and the memory to store a key; a base substrate; a flexible mounting to suspend the first substrate over the base substrate and cause the first substrate to be pushed toward the base substrate in response to the first substrate being contacted during a penetration attack, wherein the penetration attack monitoring circuit detects the penetration attack and takes corrective action in response thereto to inhibit the penetration attack from revealing the key.
 13. The apparatus of claim 12, wherein the penetration attack monitoring circuit erases the key in response to detecting the penetration attack.
 14. The apparatus of claim 12, further comprising a potting material to cover the first substrate and the penetration attack monitoring circuit.
 15. The apparatus of claim 12, wherein the base comprises a first set of at least one penetration detection layer, the first substrate comprises a second set of at least one penetration detection layer, and the penetration detection layers of the first and second sets are electrically coupled to the penetration attack monitoring circuit. 